
Saturday, January 21, 2023

Troubleshooting Tips for NAT Related Issues in Cisco ASA

Here are some tips I found while troubleshooting ASA NAT issues. 

Verifying Configuration

The first thing to note is that an Auto NAT rule does not appear in the show running-config output under the object network block where it was configured.

As an example, I did the following static Auto NAT config:

Well, it should be in the running config, but it is not where I configured it.

It is in the running config, but in a different place: pipe the output through nat (show running-config | include nat) or scroll through the whole config and you will find it.

View NAT Translation Information

There are a few commands to view NAT translations on a Cisco ASA.

The show nat command gives only a summary; show nat detail is the better command. For me, show nat is essentially redundant, as show nat detail covers everything it shows.

In the example above, untranslate_hits counts traffic arriving from OUTSIDE (matching the mapped address), while translate_hits counts traffic arriving from DMZ (matching the real address).

Dynamic NAT & PAT Pool Related Issues

The show nat pool command can be used to investigate dynamic NAT and PAT pool issues, such as PAT pool exhaustion.

Allocated 1 means that one port from the 1024-65535 pool is in use.

Another useful command is show xlate, especially for verifying PAT translations.

You can filter show xlate by a local or a global address (show xlate local <ip> or show xlate global <ip>) for more granular output.

NAT Divert Issues

The ASA uses NAT to determine the egress interface for a traffic flow before it performs route lookups or PBR.
So if the interface pair in the NAT rule is misconfigured, the entire flow is forwarded to the wrong interface and the traffic is dropped.

object network WEB
   host 192.168.10.10
   nat (dmz,outside) static 203.115.50.10

The configuration above tells the ASA that when 192.168.10.10 sends traffic from DMZ to OUTSIDE it should be translated to 203.115.50.10, and when something on the OUTSIDE interface hits 203.115.50.10 it should be untranslated back to 192.168.10.10 and forwarded to the DMZ interface.
If the DMZ side of the interface pair is misconfigured here, the traffic is dropped.

The show nat divert-table command can be useful for finding such issues.
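A worked configuration for the divert case above, added here as an illustration and not taken from the original post: the same object NAT written with the wrong interface pair beside the corrected one, followed by the checks that confirm which interface the ASA diverts the flow to. The wrong interface name (inside) and the outside test client 198.51.100.5 are assumed values.

```cisco
! Misconfigured: real side bound to the wrong interface ("inside" is assumed; the host is on dmz).
! Packets for 203.115.50.10 arriving on outside are diverted toward inside, so the flow is dropped.
object network WEB
 host 192.168.10.10
 nat (inside,outside) static 203.115.50.10

! Corrected: the real interface is dmz, so untranslated traffic is diverted to dmz.
object network WEB
 host 192.168.10.10
 no nat (inside,outside) static 203.115.50.10
 nat (dmz,outside) static 203.115.50.10

! Verification: confirm the rule is matched and which interface the untranslated flow is sent to.
show nat detail
show nat divert-table
! packet-tracer simulates an outside client (assumed 198.51.100.5) reaching the mapped address;
! the NAT phase should show the WEB rule and the output interface should be dmz.
packet-tracer input outside tcp 198.51.100.5 12345 203.115.50.10 80
```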
